head

Description

Returns the first N results in search order. For a historical search, these are the most recent N events; for a real-time search, they are the first N captured events.

There are two types of limits that can be applied: an absolute number of results, or an expression where all results are returned until the expression becomes false.

If no options or limits are explicitly stated, the head command returns the first 10 results.

If a numeric limit such as a numeric literal or the flag limit=int is used, the head command returns the first N results where N is the selected number. Using both numeric limit syntaxes results in an error.

If an eval expression is used, all initial results are returned until the first result where the expression evaluates as false. After that point, no further results are returned. The result where the expression evaluates as false is kept or dropped in accordance with the keeplast option.

If both a numeric limit and an eval expression are used, the smaller of the two constraints applies. For example,

... |head limit=10 (1==1)

returns up to the first 10 results, because the eval expression is always true. However,

Syntax

Required arguments

If no options or limits are specified, the head command returns the first 10 results.

Optional arguments

<N>

Syntax: <int>

Description: The number of results to return.

Default: 10

limit

Syntax: limit=<int>

Description: Another way to specify the number of results to return.

Default: 10

eval-expression

Syntax: <eval-compare-exp> | <eval-bool-exp>

Description: A valid eval expression that evaluates to a Boolean. The search returns results until this expression evaluates to false. For more information, see the evaluation functions in the Search Reference.

keeplast

Syntax: keeplast=<bool>

Description: Use in conjunction with the eval-expression argument to determine whether the last result in the result set is retained. The last result returned is the result that caused the eval-expression to evaluate to false or NULL. Set keeplast to true to retain the last result in the result set. Set keeplast to false to discard the last result.

Default: true

null

Syntax: null=<bool>

Description: Use in conjunction with the eval-expression argument to specify how a NULL result is treated. For example, if the eval expression is (x > 10) and the field x does not exist, the expression evaluates to NULL instead of true or false. Set null to true to have the head command continue when it gets a NULL result. Set null to false to have the head command stop when it gets a NULL result.

Default: false

Usage

The head command is a centralized streaming command. See Command types.
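
The following search is an added example, not part of the original documentation, showing how limit, null, keeplast and an eval expression interact. The eight results are constructed with makeresults; the field names sample_n and sample_status are assumptions made for this illustration, and result 4 deliberately has no sample_status so that the expression evaluates to NULL there.

```spl
| makeresults count=8
| streamstats count AS sample_n
| eval sample_status=case(sample_n<=3, "failure", sample_n==4, null(), sample_n==5, "failure", sample_n==6, "success", true(), "failure")
| head limit=10 null=true keeplast=false (sample_status=="failure")
| table sample_n sample_status
```

With these options the search returns results 1 through 5: the NULL at result 4 is skipped over because null=true, and result 6, where the expression first evaluates to false, is discarded because keeplast=false. Setting keeplast=true also retains result 6, setting null=false stops the command at result 4, and lowering limit to 2 returns only results 1 and 2 because the smaller constraint applies.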
